Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor
Cybersecurity NewsArchived May 27, 2026✓ Full text saved
A new malware campaign is targeting content creators, gamers, and AI enthusiasts by disguising itself as popular software tools like ChatGPT and Claude. The attackers are spreading a dangerous backdoor called DinDoor through fake installers hosted on trusted platforms, catching many users completely off guard. The campaign has gained significant traction, partly because it uses […] The post Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor appeared first on Cyber Security
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Use Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor
By Tushar Subhra Dutta
May 27, 2026
A new malware campaign is targeting content creators, gamers, and AI enthusiasts by disguising itself as popular software tools like ChatGPT and Claude.
The attackers are spreading a dangerous backdoor called DinDoor through fake installers hosted on trusted platforms, catching many users completely off guard.
The campaign has gained significant traction, partly because it uses compromised YouTube channels to push traffic toward the malicious files.
Videos on these channels have already accumulated more than 50,000 views, making this a far-reaching threat that extends well beyond a small handful of victims.
Researchers at Malwarebytes identified the campaign after spotting suspicious fake installers and plugins on GitHub and SourceForge.
The researchers noted that the malware impersonates well-known software brands including ChatGPT, Claude, Ableton Live, AutoTune, and Kontakt, making the deception particularly convincing for users who trust these names.
The attackers rely heavily on the credibility of legitimate platforms to make their fake projects look real.
Since GitHub and SourceForge are trusted by millions of developers and everyday users, victims are far less likely to question the authenticity of what they are downloading.
Compromised YouTube channels with AI-generated videos (Source – Malwarebytes)
Malwarebytes said in a report shared with Cyber Security News (CSN) that once installed, DinDoor acts as a backdoor that connects to a command-and-control server and delivers a fully capable remote access Trojan, or RAT.
This RAT can steal data from browsers and crypto wallets, capture screenshots, record clipboard activity, and even spy on victims through a hidden video stream using the Microsoft Edge browser as cover.
How the DinDoor Backdoor Infects Victims
The infection begins when a user visits a malicious GitHub or SourceForge repository and copies a command into their terminal, believing they are installing legitimate software.
That single command silently downloads an MSI installer file and runs it using Windows’ built-in installer tool, kicking off the entire chain. The MSI file then drops a CMD file and a PowerShell script onto the victim’s machine.
YouTube posts linking to the malicious GitHub repositories (Source – Malwarebytes)
The PowerShell script installs the Deno JavaScript runtime using standard Windows package managers called Scoop and WinGet, which makes the activity appear far less suspicious to security tools. Once Deno is in place, it fetches and runs the DinDoor backdoor directly from the attacker’s server.
DinDoor then establishes persistence by creating a Windows registry run key, ensuring the malware restarts every time the machine boots up.
The backdoor quietly communicates with the C2 server, pulling down additional payloads and sending back information about the compromised system.
The same backdoor was also distributed through SourceForge pages mimicking a game booster called GearUP and an AI watermark remover called BWR, showing that the attackers are not limiting themselves to AI chatbot lures alone.
The Deno RAT and Its Hidden Capabilities
The RAT delivered through DinDoor is built on the same Deno JavaScript runtime and carries an extensive set of spying and data theft tools.
It targets over 50 crypto wallet browser extensions and software wallets including Atomic Wallet, Exodus, and Electrum, posing a direct financial risk to anyone in the crypto space.
One of its most unusual features is a peer-to-peer video streaming mode that hijacks the Microsoft Edge browser.
GitHub repository for fake ChatGPT installer (Source – Malwarebytes)
The RAT silently launches a hidden Edge process, injects a small web page into it, and uses that page to stream live video of the victim’s screen directly to the attacker without routing it through any central server, which makes it much harder to detect.
The RAT also supports SOCKS5 proxy tunnels, full remote desktop control via a custom VNC setup, and can execute commands using PowerShell.
A lighter version of the RAT called “agent-lite” was also found, which routes its communications through Cloudflare Workers for even greater anonymity.
Users are strongly advised to download software only from official vendor websites and to be cautious of free or cracked versions of paid tools.
Before running any downloaded file, checking its publisher and digital signature using Windows Properties is a simple but effective first step in spotting something suspicious.
Indicators of Compromise (IoCs):-
Type Indicator Description
URL https[:]//github.com/claude-free-plugin/ Malicious GitHub repository distributing fake Claude installer
URL https[:]//github.com/ai-gen-profi Malicious GitHub repository for fake AI software
URL https[:]//github.com/wharfdemolisherpit Malicious GitHub repository for fake software
URL https[:]//sourceforge.net/projects/gearup/ Fake GearUP game booster on SourceForge
URL https[:]//sourceforge.net/projects/bluewaveremover/ Fake BWR AI watermark remover on SourceForge
Domain claudescript[.]top Distribution website for DinDoor malware
Domain ms-telemetry-gateway-us[.]com Command-and-Control (C2) server
Domain dakatawebstick[.]com Command-and-Control (C2) server
Domain ashpaltlonpro[.]com Command-and-Control (C2) server
Domain cf-proxy[.]cloud-analytics-services[.]workers.dev Cloudflare-based C2 server
Domain agilemast3r[.]duckdns[.]org Command-and-Control (C2) server
Domain geralnewlong[.]com Command-and-Control (C2) server
Domain hngfbgfbfb[.]cyou Command-and-Control (C2) server
Domain logicalnewrestore[.]com Command-and-Control (C2) server
IP Address 23[.]227[.]196[.]107 Command-and-Control (C2) server
IP Address 45[.]137[.]99[.]121 Command-and-Control (C2) server
IP Address 31[.]57[.]129[.]23 Command-and-Control (C2) server
IP Address 66[.]78[.]40[.]107 Command-and-Control (C2) server
IP Address 193[.]233[.]198[.]132 Command-and-Control (C2) server
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Apple’s New Anti-Snatching Feature Will Auto-Lock iPhones When Stolen From Your Hand
TamperedChef Malware Uses Signed Productivity Apps to Deliver Stealers and RATs
Anthropic’s Claude Mythos Preview Uncovers 10,000+ 0-Days in Project Glasswing
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys
Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft
Latest News
ANY.RUN
How Top CISOs Increase Risk Visibility for Zero Critical Incidents
Cyber Security News
Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links
Cyber Security
Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes
AI
Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints
Android
New BTMOB Malware Lets Attackers Remotely Control Android Devices